diff options
| author | Qualys Security Advisory <qsa@qualys.com> | 2021-02-23 08:33:03 -0800 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-05-27 21:30:58 +0200 |
| commit | b6c1434e4765d1a53efa2f3046bfb20ba682b5d2 (patch) | |
| tree | 561440f802ded6128aa5ec09e2b624146f64e926 /src/ABOUT | |
| parent | f83d4a2b3fedd9a8a0e7367db82a68a719f08e30 (diff) | |
CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)
Diffstat (limited to 'src/ABOUT')
0 files changed, 0 insertions, 0 deletions